CVE-2026-35208 — lichess.org is the forever free, adless and open source chess server. Any…
Image via opengraph.githubassets.com
🚨 CVE-2026-35208 lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but
don't treat external stream titles as HTML · lichess-org/lila@0d50026
github.com
What This Means For You
- New vulnerability disclosed — verify if your stack is exposed.
- New tool or resource available — evaluate for your security workflow.
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-35208 | HTML Injection | lichess.org: Arbitrary HTML injection into /streamer and homepage 'Live streams' widget via Twitch/YouTube stream title. Vulnerable component: Streamer profile processing. Fixed by commit 0d5002696ae705e1888bf77de107c73de57bb1b3. |
| CVE-2026-35208 | Server-Side Injection | lichess.org: Server-side HTML injection sink in streamer stream titles. Affects: Approved streamers. Triggered by placing markup in Twitch/YouTube stream titles. |
Source & Attribution
| Source Platform | Telegram |
| Channel | CVE Notify |
| Channel ID | 1129491012 |
| Message ID | 158223 |
| Published | April 07, 2026 at 00:26 UTC |
| Original Link | https://github.com/lichess-org/lila/commit/0d5002696ae705... |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Found this interesting? Follow us to stay ahead.
Share